STE WILLIAMS

What Every Security Team Should Know About Internet Threats

Of particular interest for cybercriminals is the Domain Name System, which plays a central role in orchestrating all Internet and application traffic.

Security teams are laser-focused on protecting the crown jewels. And while they are pretty good at evaluating the security within their own environments, the outside world can be tougher, with new and emerging threats from the broader Internet born every day.

In fact, crimes from the Internet are on the rise, according to the FBI’s “2018 IC3 Annual Report.” The report found that Internet-enabled theft, fraud, and exploitation not only remain pervasive, but also were responsible for a whopping $2.7 billion in financial losses last year.

Of particular interest for cybercriminals is the Domain Name System (DNS), which plays a central role in orchestrating all Internet and application traffic. Threats and attacks against it are growing in frequency, with a recent example being the attack on secure, cloud-based messaging app Telegram.

Ultimately, it is up to enterprises to implement the necessary best practices to protect their networks and end users, according to Brian Zeman, COO of NS1. But first they need to better understand the landscape.

DNS: A Vehicle for Phishing
DNS is the fundamental vehicle used in phishing attacks, according to Paul Griswold, executive director, product management strategy, X-Force threat management at IBM Security. As such, when organizations accept the DNS that comes from their Internet service providers, they should realize it isn’t always “clean,” he says.

“A lot of times it’s something people just don’t think about. DNS is there. It’s provided by the ISP, and there’s not necessarily thought [about] all the different ramifications that can come from that,” Griswold said.

Companies that aren’t paying attention to their domain assets are more likely to see security risks, adds Mike Bittner, digital security and operations manager at The Media Trust.

“Not enough companies are fully managing their domain registries and, in some cases, even letting them lapse,” he says. “That’s where a lot of DNS attacks begin. They are repurchased, and the domain is used to actually compromise the DNS servers.”

Vulnerable Web Applications
While security pros tend to first think about phishing or DNS attacks as the most prevalent threats originating from the Internet, other, less obvious threats come from vulnerable Web applications, Bittner says.

“It’s the fact that security is not being implemented with an internal application, and the lack of security in Web applications is at the root of this problem,” he says.

Threats that originate from the Internet are compounded by the proliferation of devices connected to it. Every connected device is another attack vector for malicious actors, not to mention that Web applications are all too frequently given to users with a litany of vulnerabilities, Bittner says.

Additionally, drive-by downloads – malware that is downloaded from compromised websites – are occurring more frequently via JavaScript not only in third-party code, but through malicious websites. Victims have nothing more to do than navigate to a seemingly clean site that has been compromised. Without even clicking, they are automatically redirected to a ransomware site, Bittner explains.

“Your employees are on these sites, too,” he says. “This is happening in your network. If your home page is delivering JavaScript that eventually causes a drive-by download and you’ve got BYOD policies, that’s a phone on your network that has incurred another download.”  

Some Preventative Measures
According to the “IDC 2019 Global DNS Threat Report,” commissioned by EfficientIP, three in five organizations suffered application downtime and one-quarter experienced business downtime. In order to maintain business continuity and avoid the hefty price tag associated with brand damage, organizations are well-advised to implement security measures to protect against attacks from the Internet.

“Organizations need to deploy threat intelligence, brought from advanced DNS analytics, to enhance the ability to detect infected devices and malicious behaviors,” says David Williamson, CEO of EfficientIP. “Threat intelligence is an essential tool for timely attack prevention across the network, as well as for protecting data confidentiality.”

In addition, redundancy ensures that if one network falls under duress, another will subsume the queries for both of them. That ensures no query goes unanswered, according to NS1’s Zeman.

“It is important to have redundancy at every level of a server infrastructure, including the DNS host,” Zeman says. “Deploy a secondary DNS network.”

Zeman also recommends taking the following precautionary steps to protect the enterprise against threats from the broader Internet:

  • Borrow a page from the cloud computing playbook and leverage a managed DNS solution with a globally distributed, anycast network that ensures high availability.
  • Reinforce the authenticity of DNS query responses by implementing Domain Name System Security Extensions (DNSSEC) across all zones in your control.
  • Because DNS is a mission-critical service, administrative access to DNS management should be tightly controlled. Make sure to use strong password enforcement, two-factor or multifactor authentication, and role-based access controls.
  • When using zone transfers, whitelist the transfer IP addresses of your secondary providers and leverage TSIG (Transaction SIGnature) to sign the transfers with a private key and limit exposure.

All told, DNS can have a major impact on business continuity.

“Businesses have now recognized the importance of protecting the DNS as the vital first line of defense for overall network security, [yet] DNS attacks are still damaging,” EfficientIP’s Williamson says.


Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …

Article source: https://www.darkreading.com/edge/theedge/what-every-security-team-should-know-about-internet-threats/b/d-id/1335180?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Hat Q&A: Inside the Black Hat NOC

Cybersecurity expert Bart Stump explains what it’s like to reliably deliver a useful, high-security network for one of the toughest audiences in the world.

When you sign up to attend Black Hat USA in Las Vegas next month, make sure to leave time in your busy schedule to check out the Black Hat Network Operations Center (NOC), the heart of the Black Hat network.

The Black Hat NOC team meets months before the event to strategize the best way to deliver a high-security, high-availability network to one of the biggest cybersecurity events in the world. The fact that this event is packed with security researchers, hackers, and network experts makes the process of deploying and securing the NOC just that much more exciting.

In addition to visiting the NOC itself, Black Hat attendees are invited to attend the special debriefing session offered at the end of the show.

In this popular Briefing, NOC crewmembers run down the tools and techniques they use to set up, stabilize, and secure the network, and describe what improvements they’ve made over the past year. I recently asked NOC leader Bart Stump to share his insight into what the NOC crew does and why Black Hat attendees should pay attention.

Alex Wawro: Hey there! Can you tell us a bit about who you are and what you do?

Bart Stump: Hello! My name is Bart Stump and I am one half of the NOC leadership at Black Hat. I have been working with Black Hat for 12 years now.

Alex: What does your average workload look like at a Black Hat event?

Bart: The US show is obviously our flagship show and brings a much higher workload leading up to and during the event. A small skeleton crew and I arrive four days before the show starts to begin setting up the network. During the show, there is the regular maintenance and issues that we work to deal with as quickly as possible. We also have obligations with tours, media, and our NOC debrief at the end of the show.

Alex: What’s the most challenging thing about working in the Black Hat Network Operations Center?

Bart: I would say it’s being able to think on your toes as issues arise [because] they need to be resolved in order to not impact attendees or trainers and speakers. Being able to work as a team and trust those around me to do their part is what makes the NOC go, and keep everything as stable as we do!

Alex: What should attendees know about the NOC that they probably don’t?

Bart: Everyone is welcome to come see us, ask questions and stay involved with the work we do. If you have any questions, comments or concerns – we want to hear them! So come visit us and see what we do to keep Black Hat attendees safe!

Alex: Any fun stories from your time on the NOC Crew?

Bart: Tons! We have had many experiences over the years as the show continues to grow. From the friendships that I have gained and grown because of Black Hat, to the crazy network traffic we see every show, it is always fun and entertaining for sure!

P.S. we always have stories to tell at our debrief (which always helps close out Black Hat) and would be happy to share more there.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-qanda-inside-the-black-hat-noc/d/d-id/1335341?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Backdoors won’t weaken your encryption, wails FBI boss. And he’s right. They won’t – they’ll fscking torpedo it

FBI head honcho Christopher Wray is rather peeved that you all think the US government is trying to weaken cryptography, privacy, and online security, by demanding backdoors in encryption software.

During a session at the International Conference on Cyber Security at Fordham University, New York, Wray backed a proposal mooted earlier this week by US Attorney General William Barr: that the cops and Feds should be able to spy on end-to-end encrypted chats and the like.

Barr basically wants mobile apps and other software used by people to hold private conversations and protect their files and information to be backdoored so police and g-men, armed with warrants, can gain access to and decrypt said data on demand.

Wray reiterated the same tired talking points as the Attorney General about more and more criminals going dark and so forth, though he then came up with a rather odd declaration.

“I’m well aware that these are provocative subjects in some quarters,” the FBI Director opined. “I get a little frustrated when people suggest that we’re trying to weaken encryption — or weaken cybersecurity more broadly. We’re doing no such thing.”

Except, you know, that’s exactly what he’s calling for. Top crypto boffins are in agreement that putting a backdoor in an encryption system is easy to do, though mathematically impossible or difficult to implement in such a way that unauthorized persons – think miscreants, spies, rogue or bumbling insiders at tech companies – can’t find and exploit said backdoor. Nevertheless, Wray thinks otherwise.

He continued:

It cannot be a sustainable end state for us to be creating an unfettered space that’s beyond lawful access for terrorists, hackers, and child predators to hide. But that’s the path we’re on now, if we don’t come together to solve this problem.

So to those resisting the need for lawful access, I would ask: What’s your solution? How do you propose to ensure that the hardworking men and women of law enforcement sworn to protect you and your families maintain lawful access to the information they need to do their jobs?


This is where it all goes off the rails. On the one hand, Wray wants to crack encryption so he can snoop on, unmask, and break down the door of, among other scumbags, hackers. And yet, he wants to crack encryption in such a way that, er, hackers can snoop on and unmask citizens by exploiting deliberately introduced weaknesses. In his pursuit of hackers across the nation to protect citizens, he’s potentially tearing down the walls that keep hackers out of citizens’ private spaces.

“I know we’ve started hearing increasingly from experts like cryptographers and cryptologists that there are solutions to be had that account for both strong cybersecurity and the need for lawful access,” he rumbled on. “And I believe those solutions will be even better if we seek them together.”

Yes, there will always be “experts” trying to sell the US government lucrative pie-in-the-sky solutions to this backdoor quandary. Any decent proposed solution will face intense testing and scrutiny. Wray also praised some tech corps for working with the FBI. He cited instances where images of children being sexually abused were posted online using an anonymizing app. FBI investigators worked with the app’s developers to identify the perpetrators, and they were then brought to justice, it is claimed. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/25/encryption_fbi_boss/

South Africans shivering in the dark after file-scrambling nasty hits Johannesburg power biz

The city of Johannesburg in South Africa is battling to get electricity to some customers left in the dark by a ransomware infection.

Utility company City Power today confirmed news reports that file-scrambling malware had invaded and knackered its systems.

That infection basically prevents pre-paid customers from refilling their accounts, and therefore leaves them without electricity if their account balance falls too low.

The city government did not provide details on the type of ransomware that hit the power company, but said that customer information was not accessed in the attack.

“Customers should not panic as none of their details were compromised,” the city said in an update posted Thursday afternoon.

“We apologise for the inconvenience caused to the people of the City of Joburg. Please be patient with us, we expect to have everything back in order by the end of Thursday.”

The city went on to say that it was already in the process of restoring computers hit by the ransomware, although invoicing and fault logging systems were taking additional time to recover.

The infection comes as Johannesburg is in the middle of a cold snap amidst the South African winter. The utility reported earlier this week that it was experiencing capacity constraints as customers used more electricity to keep warm.


Johannesburg is far from alone in the ranks of cities to fall victim to ransomware attacks. In the US, the city of Baltimore suffered outages at multiple departments earlier this year when a massive ransomware outbreak spread through its network.

Later in the summer, a Georgia state court office had to take some of its recordkeeping services offline in order to address a malware infection that was holding some of its systems for ransom.

More recently, at least one person in the IT department of Lake City, Florida was out of a job after officials caved in and paid the Bitcoin demand from ransomware operators in that city.

While law enforcement groups say it is never advised to pay a ransomware demand, experts note that in some cases it can make more sense for a company to at least consider opening a dialogue with the attackers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/25/johannesburg_ransomware_infection/

Louisiana Declares Cybersecurity State of Emergency

A series of attacks on school district systems leads the governor to declare the state’s first cybersecurity state of emergency.

Louisiana is no stranger to declarations of emergency, but it never had one for a cybersecurity emergency — until this week. A series of attacks on school districts around the state led Governor John Bel Edwards to issue the declaration that brings new resources and statewide coordination to what had been a collection of local cybersecurity events.

By issuing the formal declaration, the governor allows statewide resources from the Louisiana National Guard, Louisiana State Police, Louisiana Office of Technology Services, and Louisiana State University, led by the state Office of Homeland Security and Emergency Preparedness, to be brought to bear on defense, analysis, and remediation efforts. These state resources will join federal resources that have already been briefed, as well as local cybersecurity teams, to address the attacks.

This is not the first time a state emergency declaration has been issued for cyberattacks; in 2016, Colorado governor John Hickenlooper declared a state of emergency due to attacks on that state’s department of transportation.

For more, read here.

 


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/louisiana-declares-cybersecurity-state-of-emergency/d/d-id/1335350?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russian Threat Group May Have Devised a ‘Man-on-the-Side’ Attack

Data from an intrusion last year suggests Iron Liberty group may have a new trick up its sleeve, Secureworks says.

Iron Liberty, a Russia-based cyber espionage group known for targeting energy, nuclear, and defense organizations worldwide, may have developed a dangerous new technique called a “man-on-the-side” attack.

Secureworks warned about the new threat in a report this week describing a “man-on-the-side” (MOTS) attack to install malware. The security firm says MOTS differs from a typical man-in-the-middle (MITM) attack.

“The difference between MITM and MOTS is straightforward,” says Don Smith, senior director of the Counter Threat Unit at Secureworks. “With MITM, the attacker is present on infrastructure the traffic is traversing and can tamper with it,” he says. “With MOTS, the attacker has sufficient access to observe and inject traffic which through timing/bandwidth is consumed by the victim before the legitimate reply arrives.”

The security vendor’s theory is based on its analysis of a campaign last year where Iron Liberty actors managed to install a malware tool called Karagany on a target system without leaving any trace of how they did it. According to Secureworks, its research showed no evidence of a phishing email, drive-by-download, or a malicious link being used to drop the malware on the system.

Secureworks’ forensic analysis showed that Karagany was installed on the system shortly after its user initiated a legitimate request to download Adobe Flash over HTTP from Adobe’s official website. Logs showed that Karagany was installed in the short window between when the user’s request was initiated and when the Adobe file was downloaded.

Secureworks found that Karagany files were dropped on the system just 20 seconds after the initial Flash Player binary was downloaded, and by 27 seconds, additional malicious files were downloaded on the system.

Multiple Explanations

“There are several credible explanations for how the Karagany payload was delivered alongside the Adobe installer file,” Secureworks said in its report. But none of them appeared very likely in this case, the company said.

For example, the malware could have been downloaded if Adobe’s website had been compromised. But Secureworks’ investigation showed no indication that such a thing had happened during the compromise timeframe.

Another possibility was that someone with access to the victim organization’s internal or gateway systems had intercepted and manipulated traffic between Adobe and the infected system in a typical MITM attack. Here again, Secureworks was unable to find any signs that such activity had taken place. A third possibility, which Secureworks similarly deemed unlikely, was a Border Gateway Protocol (BGP) attack where the user’s traffic was routed through attacker-controlled systems.

Instead, the researchers believe the Iron Liberty actors likely managed to compromise a router outside the victim organization, and then used it to intercept the Adobe installer request and return a Trojanized response, Secureworks said.

“Being 100% clear, the traffic injection we saw in these cases could have come from Man on the Side or from Man in the Middle,” Smith says. “We do not know how the fraudulent traffic was injected. [It] could have been router compromise or could have been traffic injection.”

For enterprises, attacks like these are another reason not to implicitly trust anything on the Internet. Protecting against a man-on-the-side attack is no different from dealing with a man-in-the-middle attack, Smith says.

Some common mitigating tactics include using SSL encryption and checking the hashes of files that are downloaded from the Internet to make sure they match with the original file.

With a man-on-the-side attack, there are two parties trying to respond to the same request and the bad actor’s goal is to get in first, Smith says.

The only way to detect such activity would be to monitor the sequence of packets arriving in response to a request and look for out-of-sequence packets that arrive and are likely discarded. “You need to be extremely well instrumented to detect it,” Smith says.
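A detector for the symptom Smith describes, added here as an example that is not from Secureworks or the article: when two parties answer the same request, the loser of the race shows up as a TCP segment that overlaps an earlier segment of the same flow but carries different bytes, whereas a genuine retransmission carries identical bytes. The flows, addresses, TTLs and payloads below are constructed.

```python
"""Flag a response race (man-on-the-side symptom) in captured TCP segments."""
from collections import defaultdict

FLOW_A = ("203.0.113.10:80", "192.0.2.5:51234")  # constructed server -> client flow
FLOW_B = ("203.0.113.10:80", "192.0.2.5:51240")  # second flow with a benign retransmission

HEADER = b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\n"  # 39 bytes

# ts = seconds since the client's request; a TTL difference hints at a different sender.
SAMPLE_PACKETS = [
    # Flow A: an injected reply arrives first, copying the header but with its own body.
    {"ts": 0.012, "flow": FLOW_A, "seq": 1000, "ttl": 51, "payload": HEADER + b"TROJANIZED"},
    # The legitimate server's reply lands a few milliseconds later, split in two segments.
    {"ts": 0.030, "flow": FLOW_A, "seq": 1000, "ttl": 57, "payload": HEADER},
    {"ts": 0.031, "flow": FLOW_A, "seq": 1039, "ttl": 57, "payload": b"flash-v32 "},
    # Flow B: an ordinary retransmission with identical bytes; must not be flagged.
    {"ts": 1.000, "flow": FLOW_B, "seq": 5000, "ttl": 57, "payload": b"HTTP/1.1 304 Not Modified\r\n\r\n"},
    {"ts": 1.300, "flow": FLOW_B, "seq": 5000, "ttl": 57, "payload": b"HTTP/1.1 304 Not Modified\r\n\r\n"},
]


def find_conflicting_segments(packets):
    """Return one finding per segment that overlaps an earlier segment of the
    same flow while carrying different bytes in the overlapping range."""
    seen = defaultdict(list)  # flow -> segments already observed
    findings = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        flow, seq, data = pkt["flow"], pkt["seq"], pkt["payload"]
        end = seq + len(data)
        for prev in seen[flow]:
            p_seq, p_end = prev["seq"], prev["seq"] + len(prev["payload"])
            lo, hi = max(seq, p_seq), min(end, p_end)
            if lo >= hi:
                continue  # sequence ranges do not overlap
            if data[lo - seq:hi - seq] == prev["payload"][lo - p_seq:hi - p_seq]:
                continue  # identical bytes: a plain retransmission, not a race
            findings.append({
                "flow": flow,
                "range": (lo, hi),
                "first_seen": prev["ts"],
                "conflict_at": pkt["ts"],
                "gap_s": round(pkt["ts"] - prev["ts"], 3),
                "ttl_mismatch": prev["ttl"] != pkt["ttl"],
            })
        seen[flow].append(pkt)
    return findings


if __name__ == "__main__":
    for f in find_conflicting_segments(SAMPLE_PACKETS):
        print(f"{f['flow'][0]} -> {f['flow'][1]}: bytes {f['range']} seen twice with "
              f"different content {f['gap_s']}s apart (TTL mismatch: {f['ttl_mismatch']})")
```

The legitimate header segment is not flagged because the injector copied it byte for byte; only the body range, where the two senders disagree, produces a finding.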


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/russian-threat-group-may-have-devised-a-man-on-the-side-attack-/d/d-id/1335348?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Android Spyware Has Ties to Election Interference

Recently revealed surveillance-ware comes from a consultant with close ties to Russia’s GRU who was sanctioned by the US for election-tampering.

A newly discovered Android malware strain has been tied to a US-sanctioned contractor with close connections with Russia’s GRU.

According to researchers at Lookout, who found the malware and dubbed it Monokle, it is able to steal personal information from an infected device and send it to any of a series of command-and-control (C2) servers. One of the unique aspects of Monokle is that it doesn’t need root access to collect its information. Instead, it uses a series of existing techniques in novel ways to get a more complete picture of the user’s data, interests, and online habits.

“The malware has a unique set of features. It can modify the Android device’s trusted root certificate, capture the screen unlock sequence, and capture the auto-complete dictionary, among other things. It’s very complete surveillance-ware,” says Adam Bauer, senior staff security intelligence engineer at Lookout.

Monokle’s source has been traced back to Special Technology Center (STC), a Russian defense contractor sanctioned for its role in interfering with the 2016 US presidential election. “The first reason Monokle is notable is because of its ties to a Russian government defense contractor who is also producing antivirus for Android,” says Tim Erlin, vice president of product management and strategy at TripWire. “The second reason it’s notable is because of the extent to which it’s able to gather data and take advantage of a mobile device.”

According to the Lookout report, Monokle’s ties to STC and the Android antivirus software are found in the code. “STC has been developing a set of Android security applications, including an antivirus solution, which share infrastructure with Monokle,” the report states.

Lookout determined that Monokle is targeting very specific individuals because of the applications that carry the infection. Christoph Hebeisen, senior manager, security intelligence at Lookout, believes the surveillance-ware’s qualities mean that it most likely will remain a tool for spying on high-value targets.

“Ultimately, we believe that this type of software is most likely to be used in targeted attacks, so whether you worry about it or not depends on your threat model,” he says.

The Lookout researchers and Erlin point out, though, that there’s nothing inherent in Monokle’s technology that limits it to a particular target. “In this case, where we’re talking about a tool that’s been discovered in the wild and analyzed, the use of that tool that’s been seen so far has been targeted,” Erlin says. “But that doesn’t mean that the tool itself couldn’t be used in a variety of ways.”

Bauer says that the Monokle code was first found in the wild in samples collected in 2016, but the code wasn’t initially analyzed and found to be malicious until early 2018. Analysis has continued and more details have become clear. “We decided to go public now because of the relevance of this particular threat,” Bauer says. “Once we found that the creator was STC, it became more relevant because the company has been sanctioned due to their connection to GRU in terms of election meddling.”

Erlin says there are specific steps individuals and organizations can take to reduce their risk from the spyware: don’t install apps from untrusted sources or from unknown third-party sources, and install mobile antivirus.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/endpoint/android-spyware-has-ties-to-election-interference/d/d-id/1335351?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Senate Report: US Election Security ‘Sorely Lacking’ in 2016

Senate Intelligence Committee report released today cites weaknesses, but finds no evidence of vote-tampering.

A newly released US Senate Intelligence Committee report concluded that the US election infrastructure was vulnerable and failed to stand up to Russia’s election-meddling efforts during the last presidential campaign.

According to NBC News, the Senate report – the first volume of a series of findings from its investigation – said Russia in 2016 was able to exploit “seams” between state election systems and federal government oversight processes, election databases were poorly secured, and outdated voting machines had no paper trail and were thus vulnerable to tampering.

The US election system was not properly secured or prepared for “extensive activity” by Russia, which occurred between 2014 and into 2017, the report said. Even so, the committee found no evidence of tainted votes.

Read more here.


Article source: https://www.darkreading.com/attacks-breaches/senate-report-us-election-security-sorely-lacking-in-2016/d/d-id/1335335?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

EvilGnome – Linux malware aimed at your laptop, not your servers

Some of our readers asked us this week, “What do you guys think of EvilGnome?”

#ICYMI, EvilGnome is a recent malware sample that’s made a few headlines, and although we haven’t seen any examples of it actually popping up in the wild, we thought we’d answer the question anyway.

Because Linux!

As you probably know, Linux malware and hacked Linux systems are very common, for the simple reason that most of the servers that power today’s internet run Linux in some form.

If you’re a cybercrook who wants to spread your Windows malware widely – keyloggers, for example, or banking Trojans, or other network nasties that thieve people’s digital stuff so it can be sold on to the next crook on the cyberunderground…

…then you’re probably going to be relying on hacked or compromised Linux systems for the bulk of your malware distribution.

For that reason, Linux malware generally doesn’t look like Windows malware, and isn’t supposed to, either.

But EvilGnome, rare and unusual though it may be, gets its media-friendly name because it was clearly written to target the comparatively small but committed community who use Linux on their laptops.

EvilGnome starts life as a self-contained file that consists of 522 lines of text – what’s called a shell script because it’s designed to run directly inside a Linux terminal window, known colloquially as a ‘shell’ – followed by a compressed blob of data that carries the rest of the malware along with it.

If you glance at the start of the malware file, all you’ll see is this:

#!/bin/sh
# This script was generated using Makeself 2.3.0

ORIG_UMASK=`umask`
if test "n" = n; then
    umask 077
fi

CRCsum="XXXXXXXXXX"
MD5="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
TMPROOT=${TMPDIR:=/tmp}
USER_PWD="$PWD"; export USER_PWD

label="setup files..."
script="./setup.sh"
scriptargs=""
licensetxt=""
. . .

That looks pretty unexceptionable – in fact, this is what’s called a self-extracting archive, and it was created with a legitimate and widely-used free software packaging system called Makeself.

Several mainstream software tools, such as Oracle’s VirtualBox software, make use of the Makeself toolkit, so the presence of Makeself’s auto-self-extraction code at the start of a Linux file isn’t itself cause for alarm.

After all, the idea is a good one – to make installing your software easier.

Instead of downloading a file in a static archive format such as ZIP, gzip, bzip2, and then decompressing and unpacking the bundle yourself before digging around to figure out how to install it, you just download one self-contained Makeself file and run it.

The shell script then extracts the embedded app into a temporary directory and automatically hands control over to a component that’s just been extracted – in this case, the uncontroversial-looking setup.sh.

Self-extracting archives and installers are commonplace on Windows; this is a way of achieving a similarly simple way of installing even very complex Linux software tools.

Forget about ./configure; make; make install, just run thisfile.sh or thisfile.run directly instead.

(Linux doesn’t need file extensions in quite the same way Windows does, but the creators of the Makeself tool recommend adding an extension of .sh or .run anyway, just for clarity.)
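One way to look inside a Makeself bundle without letting it hand control to the embedded setup.sh, as an added example that is not code from the article or from the Makeself project; the function names are this example's own, and --list, --noexec and --target are options that Makeself-generated headers accept.

```shell
#!/bin/sh
# Added example (not from the article or the Makeself project): review a Makeself
# bundle without running its embedded post-extraction script. The function names
# are this example's own; --list, --noexec and --target are Makeself header options.

# Returns 0 if $1 starts with the Makeself header quoted in the article:
# a "#!/bin/sh" line followed by "# This script was generated using Makeself ...".
is_makeself_bundle() {
    head -n 2 "$1" | grep -q '^# This script was generated using Makeself'
}

# Unpack bundle $1 into directory $2 for offline review.
# --list shows what the payload contains; --noexec extracts the payload but skips
# the embedded script (setup.sh in the article's case); --target picks the directory.
makeself_unpack_only() {
    is_makeself_bundle "$1" || { echo "not a Makeself bundle: $1" >&2; return 1; }
    sh "$1" --list
    sh "$1" --noexec --target "$2"
    ls -la "$2"
}
```

After extraction, read the unpacked setup.sh and any binaries with the usual tools before deciding whether to run anything.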

What’s good for the goose

Unfortunately, the very tools that make it easier for us to construct self-installing software bundles also make things easier for the crooks.

If you run the EvilGnome self-extractor you will end up with malware installed in a directory called:

~/.cache/gnome-software/gnome-shell-extensions/

To explain.

In Unix-speak, the special filename ~/ means your home directory.

The rest of the file path refers to a temporary subdirectory used by the popular Linux desktop software known as Gnome.

Note that Unix filenames that start with a dot (a period, displayed as “.”) aren’t shown by default in most directory listings, so they’re essentially invisible unless you go looking for them.

In any case, .cache is a standard place for apps to store files they think they’ll need again but don’t need to keep forever.

In other words, the ~/.cache/gnome-software/ directory is a great place for malware to hide in plain sight – you’ll probably never see it, but if you do you’ll expect it to be full of random-looking stuff that can largely be ignored.

If you look in the hiding place used by the malware, you’ll find the innocent-sounding files:

gnome-shell-ext
gnome-shell-ext.sh

The names make them look like a Gnome shell extension, a kind of Gnome desktop plugin, but they are the malware app, plus a shell script to launch the app in the background, respectively.

The gnome-shell-ext file is a compiled C++ program; dumping some of the debugging symbols that the crooks left behind gives an immediate hint of what it’s for:

$ nm -C gnome-shell-ext

000000000040b650 T ShooterKey::threadKeysBody()
000000000040b850 T ShooterKey::sendKeys()
000000000040b700 T ShooterKey::ShooterKey()
. . .
0000000000409ce0 T ShooterFile::scanFolder()
0000000000409cb0 T ShooterFile::ShooterFile()
. . .
000000000040bc10 T ShooterPing::sendStoredPackets()
000000000040c560 T ShooterPing::ShooterPing()
. . .
000000000040b280 T ShooterImage::takeScreenshot()
000000000040b260 T ShooterImage::ShooterImage()
. . .
000000000040c610 T ShooterSound::takeSound()
000000000040c5f0 T ShooterSound::ShooterSound()
. . .

According to Intezer, who first broke the news of this malware, and gave it the name EvilGnome, these functions do pretty much what their names suggest.

The takeSound() function can capture audio and upload it; takeScreenshot() speaks for itself, and scanFolder() looks for files to steal.

Intezer says that the ShooterKey:: components aren’t finished (and therefore aren’t used), but it’s easy to guess what these functions might do in a future version – log keystrokes and thereby sniff out passwords.

Lastly, ShooterPing:: not only communicates back to the crooks but can also download new malware and run it.

That makes this into a general-purpose zombie or bot, namely a remotely controllable software agent that the crooks can harness later for whatever they think of next.

The EvilGnome malware also adds itself to your crontab (a Linux tool for running programs in the background at predetermined times) so that it gets re-launched within a minute if it ever crashes or gets killed off.

That means it not only survives a reboot but also comes back to life if you notice it and terminate the suspicious process.

What to do?

As mentioned at the start, we haven’t seen this in the wild, so it’s unlikely you’ll encounter it.

But here are some tips anyway:

  1. Check for a process called gnome-shell-ext. If found, use kill -9 to terminate it. If it comes back after a minute then this malware is probably already active on your system. Do steps 2 and 3, then repeat this step to kill it completely.
  2. Check your crontab for an entry like 0-59 * * * * /.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh. That’s a sign that the auto-reloading script has been installed. Remove it from crontab.
  3. Check for the abovementioned gnome-shell-ext* files. If you remove them then the malware can’t reload even if you haven’t cleaned the crontab.
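The three checks above gathered into a small read-only triage script, as an added example that is not code from the article or from Intezer; the function names are this example's own, while the process name and paths come from the article.

```shell
#!/bin/sh
# Added triage helper (not from the article or from Intezer): looks for the three
# EvilGnome indicators described in the tips above and reports them without killing
# or deleting anything. Function names are this example's own; the process name and
# directory come from the article.

IOC_PROC="gnome-shell-ext"
IOC_DIR="gnome-software/gnome-shell-extensions"   # relative to ~/.cache

# Constructed sample of the crontab line quoted above, used for offline checks.
SAMPLE_CRONTAB='0-59 * * * * /.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh'

# Step 1: is a process with the malware's name running? (exit 0 = found)
evilgnome_process_running() {
    pgrep -x "$IOC_PROC" >/dev/null 2>&1
}

# Step 2: does the crontab text passed in $1 launch the reload script? (exit 0 = found)
evilgnome_crontab_hit() {
    printf '%s\n' "$1" | grep -Fq "$IOC_DIR/$IOC_PROC.sh"
}

# Step 3: are the dropped files under the cache directory $1? (exit 0 = found)
# $1 stands in for ~/.cache so the check can be pointed at a test directory.
evilgnome_files_present() {
    [ -f "$1/$IOC_DIR/$IOC_PROC" ] || [ -f "$1/$IOC_DIR/$IOC_PROC.sh" ]
}

# Run all three checks on the live host; exit status is the number of indicators seen.
evilgnome_triage() {
    hits=0
    if evilgnome_process_running; then
        echo "[!] step 1: process $IOC_PROC is running"; hits=$((hits + 1))
    fi
    if evilgnome_crontab_hit "$(crontab -l 2>/dev/null)"; then
        echo "[!] step 2: crontab entry reloads $IOC_PROC.sh"; hits=$((hits + 1))
    fi
    if evilgnome_files_present "$HOME/.cache"; then
        echo "[!] step 3: $IOC_PROC files present under ~/.cache/$IOC_DIR"; hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ] && echo "[ok] no EvilGnome indicators found"
    return "$hits"
}

evilgnome_triage || echo "[!] $? indicator(s) found; work through the three steps above"
```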

By the way, Sophos Anti-Virus for Linux is 100% free for home and business use – why not try it?

Our product detects and blocks all types of malware on a Linux system, including Windows and Mac malware.

That means it also stops you serving up dodgy files to other people if some rogue has deliberately uploaded malware to use your server as a temporary malware repository.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/E4CH_8oYLak/

Facebook gets its wrist slapped $5b for fumbling our data, confirms FTC

It’s been confirmed: insiders said last week that Facebook would be wrist-slapped with a $5 billion fine for losing control of users’ data, and the Federal Trade Commission (FTC) said on Wednesday that yes indeed, that’s what’s happening.

It’s a record-breaking penalty, but it doesn’t satisfy the “break it up” crowd – not at all. Last week, a chorus of Democrats called it a slap on the wrist. An early Christmas present. A drop-in-the-bucket penalty. Chump change. A mosquito bite.

Senator Elizabeth Warren, for one, pointed out that Facebook made $5 billion in profits in just the first three months of last year.

But as the Washington Post reports, over the course of its 16-month privacy investigation, the FTC stopped short of putting some real hurt on Facebook.

Initially, the FTC had entertained the possibility of much tougher punishments, such as a fine that would have reached tens of billions of dollars. Facebook recorded nearly $56 billion in revenue last year.

Ten people familiar with the matter told the Post that the FTC had also considered imposing more direct liability for the company’s chief executive, Mark Zuckerberg. As you might recall, in November 2018, Senator Ron Wyden floated the idea of sentencing execs up to 20 years when they let users’ privacy details slip through their greasy fingers.

Facebook successfully fought tooth and nail to make sure that Mark wouldn’t be wearing orange anytime soon, forcing the commission to back off and settle on the $5 billion wrist-slap. As the Post notes, this is a David and Goliath situation, but David only has marshmallows in his slingshot: Facebook’s revenue last year was about 200 times the budget that federal regulators were working off of.

The gist of Wednesday’s announcement is that the Department of Justice (DOJ) will file a complaint on behalf of the Commission, alleging that Facebook “repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.”

These tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook “friends.” The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing.

In addition, the FTC alleges that Facebook took inadequate steps to deal with apps that it knew were violating its platform policies.

That’s a pile of words that add up to “Cambridge Analytica (et al.)”

Cambridge Analytica recap

According to multiple whistleblowers, Facebook basically turned a blind eye to Cambridge Analytica and other developers scraping away its users’ data.

In a lawsuit against Facebook brought by the tiny, your-Facebook-friends-in-bikinis-centered developer Six4Three – and published during the UK’s Parliamentary probe into fake news and the platform’s privacy practices – Six4Three alleged that Facebook turned off the Friends data API spigot as a way of forcing developers to buy advertising, transfer intellectual property or even sell themselves to Facebook at bargain-basement prices.

In other words, the user data that Facebook claimed that Cambridge Analytica wrongly got away with is a bargaining chip, according to the fake news inquiry and the private emails of Facebook staff that the inquiry got out of the Six4Three lawsuit and which it subsequently published.

Six4Three has alleged that the correspondence shows that Facebook was not only aware of the implications of its privacy policy, but actively exploited them. The app company asserted that Facebook intentionally created and effectively flagged up the loophole that CA used to collect user data.

In October, the UK’s Information Commissioner’s Office (ICO) fined Facebook £500K for the CA saga. $5 billion may well be chump change, but £500K is more like lint from a chump’s pocket.

It’s the best the ICO could do in pre-GDPR days, though. Those days ended when the body handed out what seemed, at least before this $5b bite, to be whopper fines for data breaches at Marriott and British Airways.

Separate action against Cambridge Analytica

At the same time the FTC announced the Facebook fine, it also said that Cambridge Analytica isn’t off the hook. Nor is former Chief Executive Officer Alexander Nix. Nor is Aleksandr Kogan, whose company, Global Science Research (GSR), created the “thisisyourdigitallife” personality quiz that played the starring role of “straw” for sucking in unsuspecting users’ data in the Cambridge Analytica/Facebook debacle.

The FTC is alleging that they employed “deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting.”

The FTC describes how Cambridge Analytica, Kogan and Nix used the information from the personality quiz to train an algorithm that then generated personality scores for the app users and their Facebook friends. Then, they matched the personality scores with US voter records. That matching was like steroids for the company’s voter profiling and targeted advertising services.

The FTC alleges that Kogan re-purposed an existing app he had on the Facebook platform, which allowed the app to harvest Facebook data from app users and their Facebook friends. Then, in April 2014, Facebook shut off the spigot, announcing that no longer would it allow app developers to access data from an app user’s Facebook friends.

… Well, except for the developers who were already chugging along, that is. Facebook gave developers with existing apps another year to keep guzzling data. The FTC alleges that the GSRApp – another name for thisisyourdigitallife – took advantage of that grace period to collect Facebook profile data from 250,000 to 270,000 users in the US, as well as 50 million to 65 million of those users’ Facebook friends, including at least 30 million identifiable US consumers.

The FTC found that nearly half of the app users originally refused to provide their Facebook profile information. So the GSRApp allegedly began sweet-talking them, telling app users that it wouldn’t “download your name or any other identifiable information – we are interested in your demographics and likes.”

Lies, lies, lies, the FTC alleges. While it was sweet-talking, that app was also reaching its hands into users’ data, the FTC says. The GSRApp went right ahead and collected users’ Facebook User IDs, which connect individuals to their Facebook profiles, as well as other personal information such as their gender, birthdate, location, and their Facebook friends list.

Among other allegations of false privacy claims, Kogan and Nix have been prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. The FTC is also requiring them to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data. Nix and Kogan have agreed to the settlement.

Tweaking Facebook

As far as restricting Facebook goes, the FTC has a new 20-year settlement order that it says will overhaul how the company makes privacy decisions and boosts accountability at the board level. It will establish an independent privacy committee of Facebook’s board of directors, thereby removing “unfettered control” by Zuckerberg over decisions affecting user privacy.

Members of that privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.

Facebook is also being ordered to appoint compliance officers who’ll oversee its privacy program. They’ll have to pass muster with the new board privacy committee, and the privacy committee is the only one that can remove them.

Zuckerberg and those compliance officers will have to submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. If they try to pull any shenanigans in those certifications, they’ll be liable, as individuals, to civil and criminal penalties.

On Wednesday, Facebook said it’s already made large strides on privacy, but more changes are in the works. Facebook’s Colin Stretch, in a blog post:

We will be more robust in ensuring that we identify, assess and mitigate privacy risk. We will adopt new approaches to more thoroughly document the decisions we make and monitor their impact. And we will introduce more technical controls to better automate privacy safeguards.

Also on Wednesday, the Securities and Exchange Commission (SEC) got in on the act, saying that it would fine Facebook $100 million for misleading investors about the risks it faced from misusing user data.

The Department of Justice (DOJ), which worked with the FTC, said that it “expects Facebook to treat its privacy obligations with the utmost seriousness” going forward.

FTC Chairman Joe Simons:

The relief is designed not only to punish previous violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8EI8tUn77RA/